Troj/VB-ZD is a Trojan dropper for windows based systems. The Trojan sets up a Trojan proxy on an infected computer.
Troj/VB-ZD creates a copy of itself named ipconfig.sys in the folder it was originally run from. The Trojan then drops four files - mswinsck.ocx and bsmtp.dll into the Windows system folder, and rundll32.exe and svchost.exe into the same folder that the Trojan was originally run from. Mswinsk.ocx is a clean Microsoft file, and bsmtp.dll is a clean file that provides an SMTP mail engine for other programs to use. Rundll32.exe is part of the Trojan, also detected as Troj/VB-ZD, and it is this component that drops and configures the file svchost.exe.
Svchost.exe is a Trojan proxy, and is detected as Troj/SkSocket-C. Once the proxy has been copied to the system folder, it is then configured, and an email notification sent to a specified address informing a remote intruder that the computer is infected, and which port it can be contacted on.
Troj/VB-ZD creates the following registry entries to ensure that it is started at system start up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Background Intelligent Transfer Service
<Path to Trojan>/rundll32.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Network Connections
<Path to Trojan>/internat.exe
This results in an email being sent to a remote intruder every time the system is started, informing the intruder that the infected computer is ready for use.
When Troj/VB-ZD is registered as a service it creates entries under the following registry entry, and has its startup type set to automatic so it is run whenever the system starts:
HKLM\SYSTEM\CurrentControlSet\Services\
SkServer
Troj/VB-ZD has a display name of "Snake SockProxy Service".